Nearshore Americas

Breakdown: A CX Provider Opens the Door to Apple Getting Hacked

Not even the almighty Apple is safe from the wits of hackers and the vulnerabilities of its own third party providers. The company is among the latest victims of a hack made possible by exploitable routes in the systems shared with a contractor hired for customer support.

The recent cyberattack on Apple highlights a concerning trend for businesses of all shapes and sizes: third party partnerships, though helpful and even necessary in some cases, can be seen by hackers as an opening into their systems. 

What happened?: A former Apple security researcher (Noah Roskin-Frazee) and a co-conspirator (Keith Latteri) were accused of breaking into the company’s systems and stealing US$2.5 million worth of Apple gift cards, plus US$100,000 in company products and services.

  • Both men allegedly accessed Apple’s systems through an unnamed provider of customer support services. According to the accusation, this hack cost the contractor over US$3 million in losses.
  • The Apple merch was allegedly acquired through over two dozen fake orders and resold to third parties. 

Naming the names: Neither Apple nor the CX provider are explicitly identified in the public version of the indictment

  • The court papers speak of “Company A”, described as “a corporation headquartered in Cupertino, California, which developed, manufactured, licensed, supported and sold computer software, consumer electronics, personal computers and services,” a description which fits Apple. 
    • Apple credited Mr. Roskin-Frazee for a CVE (common vulnerabilities and exposures) report in a security update released in late January of 2024.
  • The third party contractor –identified as “Company B” in the court papers– is described only as “a corporation headquartered in Fremont, California, which provided customer experience solutions and services to other companies.”
  • We reached out to Apple for comment. The company has yet to respond.

How did it happen?: Both defendants allegedly used “the Internet and a password reset tool” to access the systems and protected computers of the CX provider.

  • The contractor’s CX agents had access to Apple’s systems, which they logged into through a VPN network. Some access was granted to remote workers through a desktop app.
  • As part of their job, agents used an internal Apple database and “Toolbox” program to review, manage and edit product and services orders. 
  • The unidentified contractor also maintained a JAMF Mobile Device Management Platform to configure Apple devices. 
  • The defendants allegedly leveraged the JAMF platform to remotely access computers used by employees of the contractor, logging them into remote desktop sharing sessions. These computers were located in India and Costa Rica. 

Zoom out: Cybersecurity firms have for years warned of the vulnerabilities faced by BPO providers and other third party contractors. Recent events have given credence to their warnings.

  • Bank of America blamed Infosys McCamish Systems for a data breach which exposed the personal and financial information of over 57,000 of its customers.
  • Outsourcing firm Capita –which provides service to the UK government– said it expected a £20 million (US$25.2 million) hit from a cyberattack which exposed customer, supplier and staff data.
  • US government contractor Serco reported last year that a third-party provider of theirs (CBIZ) had been hacked through MoveIT, compromising the personal information of 10,000 individuals.  

Blast from the past: Apple itself warned about potential threat vectors among cloud service vendors and other providers of third-party software.

  • “Hackers only need to exploit vulnerabilities in third-party software or a vendor’s system to gain access to the data stored by every organization that relies on that vendor,” the company stated in a report published December of 2023.
  • “Corporations and institutions increasingly rely on third-party software and vendors for their daily operations, including accounting software, technical software and file transfer or security services,” the report adds. “Once these software packages are installed in an organization’s systems, they often provide vendors with unfettered access (through a ‘side door’) to the organization’s network so that they can provide services such as software updates.” 

Expert comments: Lisa McStay, COO at Contiuity2, a provider of software for business continuity management, commented that it is not uncommon for third-party partners to have weak cyberdefenses, at least when compared to those of their bigger customers. 

  • “Criminals know this and use this approach to bypass your otherwise unbreachable cybersecurity,” she said. “You should vet the security measures of your partners and ask for regular security audits. This will increase the security and safety of everyone involved. However, also having clear communication and cybersecurity protocols in the event of a breach is also a must”.

Nic Adams, CEO at cybersecurity firm Orcus, agreed on the need for companies to be more thourough in monitoring and auditing their third-party partners, adding that they should limit system access to their partners, employ a layerd security approach and demand specific security requirements and obligations in service contracts.

  • For service providers, Mr. Adams recommended regular security assessments, ongoing security training for employees, the implementation of stringent access control measures and transparency in communication with clients about security policies, practices and incidents.

NSAM’s Take: Given the proliferation of hacking tools and expertise, plus the increasing digitalization of businesses and organizations, and the growing reliance on third-party partnerships, some analysts have characterized cyberattacks and data breaches as practically inevitable

But even those who share such a grim outlook agree that cyberattacks should be made as improbable as can be. Which means that customers and their third-party providers should have more serious conversations about how to shield themselves from all directions; including those coming from partners.

Hacks like the one suffered by Apple will turn the screws on all sorts of third-party providers –be that of CX, back-office business services or software– to increase their security standards. In the whole spectrum of compliance, cybersecurity has emerged as one of the non-negotiable aspects for the buyside in third-party contracts.

One also has to wonder about what this will mean for service providers who try to stick to a hybrid or even fully remote labor model. Much has been said about business leaders dragging employees back into the office, but several companies have been themselves forced back to on-premises delivery by customers concerned about lax security in a remote setup. 

As cyberattacks targeting third-party providers become more common, one can expect clients to demand as many security guarantees as possible. Guarantees which might include on-premises delivery.

Sign up for our Nearshore Americas newsletter:


Cybersecurity has for years been mentioned by business leaders among their top priorities for tech investment. In a recent survey by IT infrastructure vendor Softcat, over half of respondents put it in its top three priorities for IT spend. The proliferation of security breaches will only make the need for good cyberdefenses more urgent, further increasing prices for an already expensive service. 

The aforementioned situation might open doors to offshore and nearshore service providers. Nevertheless, the pressure to comply with security standards and deliver might be considerably higher for these given the complications of cross-border service contracts and the distrust some US and European organizations still hold towards non-national providers of cybersecurity.

Cesar Cantu

Cesar is the Managing Editor of Nearshore Americas. He's a journalist based in Mexico City, with experience covering foreign trade policy, agribusiness and the food industry in Mexico and Latin America.

Add comment